I don't disagree with you one bit - I was simply making a similar point: they fly below the radar, with that intent. But there are ways to make pre-emptive signatures based on tracking certain phishing/spam/porn rings and noting their serial pattern. This is how you detect "below the radar" attacks. This isn't for prevention, but detection only. I don't agree with signatures as a reactive response to most problems; rather, I believe in problem response as a whole.

This class of attacks has definitely been observed since the Korgo/Padonock days and has been going nice and steady for these rings quite frequently. The time to discovery by AV vendors that we have observed has been from 2 weeks all the way to 9 months. Low distribution, low detection, and it allows for rapid deployment. And slight modifications in variants at such rapid deployment tend to cause problems for AV vendors in general.

I think, to sum it up, we're on the same page - the Snort sigs that were available were designed to look at trojans such as these in a general problem response by examining the way they are packed, rather than just the specific malware.

-Lance James

Ken Kousky wrote:
> Are we missing the point? Hope this isn't too long but here goes .....
>
> Worms and viruses spread and get found out, but there's a large class of
> Trojans that don't want to be found out.
>
> The propagation vector matters a lot if we can use it as a means of finding
> malware and capturing signatures. Worms, spam and viruses that have a broad
> propagation scheme get found out pretty fast - that's the good part of their
> efforts to spread, but not all malware wants to spread so recklessly.
>
> Sometimes it's more important to remain undiscovered, which is more likely
> the case in the world of Trojans.
>
> Last year IP3 focused a great deal of analysis on what we called
> Singularities - non-signatured exploits due to their low-volume presence.
> This goes way beyond day zero since some reported Trojans hit day 1,000
> without being discovered!
>
> Spam, defacement or propagation proof-of-concept worms all have been
> reasonably controlled because of their expansive propagation, which leads to
> their discovery.
>
> Most economic exploits, including DDoS zombie nets or identity theft
> campaigns, could easily continue to use these same kinds of exploits, like WMF,
> and are not likely to show up unless they're reckless in distributing
> phishing emails or eventually launching a worm that propagates into a
> discovery zone.
>
> The same root problems that gave rise to WMF will persist in many
> server-side applications for years to come.
>
> The point is that we may spend way too much time looking at the mass mailer
> variants and not enough time looking at the targeted and purposeful
> exploits.
>
> Remember, these exposures existed across our Microsoft platforms for over a
> decade. The exposure didn't begin with its public disclosure or patch
> release.
>
> Because gaming and pornography continue to be major revenue streams for
> online providers, and because they get very little protection through law
> enforcement, even when legal enterprises, we've allowed a very lucrative
> extortion industry to thrive, with individuals well paid to find these
> vulnerabilities. It's hard to believe the potential disparity in good-guy vs
> bad-guy spending on exploring for openings.
>
> We've cataloged hundreds of buffer overflow patches over the last year alone
> that prove that virtually all enterprises have been widely exposed and have
> little or no way of knowing if anything other than a widely propagating (and
> therefore signatured) exploit has occurred.
>
> Signature filters do not fix the WMF exposure, but they've done a great job
> stopping most of the propagations. But it's not the whole story.
>
> -----Original Message-----
> From: Lance James [mailto:bugtraq@xxxxxxxxxxxxxxxxx]
> Sent: Friday, February 17, 2006 2:03 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Cc: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: Re: First WMF mass mailer ItW (phishing Trojan)
>
> Gadi Evron wrote:
>
>> The first worm (mass mailer) to (ab)use the WMF 0day is now spreading in
>> Australia.
>>
>
> Respectfully speaking:
>
> There are a few corrections to this that need to be expressed.
>
> The language you're using describing it as a mass-mailing worm is coming
> off as confusing to some. The WMF exploit is actually seeded on a website,
> and the mass-mailing is used to get people to go to that site. Stating
> that it's a worm is similar to saying that phishing emails and spam are
> worms. I have seen some actual phishing worms, and this is definitely
> not it.
>
> A correction also needs to be made on this comment:
>
> "Abusing websites is mostly how WMF is
> exploited, but no much in the way of emails before today."
>
> This is grossly incorrect - here are the dates we started seeing this
> activity:
>
> January 3rd - WMF exploit distributing identified phishing trojan
> January 9/10th - WMF exploit distributing identified phishing trojan
> Jan 18th/19th - WMF exploit distributing identified phishing trojan
> Jan 22nd-25th - WMF exploit distributing identified phishing trojan
> Jan 24th - WMF exploit distributing identified phishing trojan
>
> I can go into February, but we get the point.
>
> This same phishing group works in regions, so it's not surprising that
> they are now targeting Australia. They are also targeting Europe as well
> in February.
>
> Summary:
> WMF mass-mailing phishing has not been uncommon, just in small
> distributions, so it may not have been seen on the radar. Since the
> public discovery of the WMF exploit, there have been a few mass-mailings
> taking users to a site that distributed WMF exploits to date.
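Lance's closing point is that the useful generic signatures keyed on how these trojans were packed rather than on any one sample's bytes. The script below is an added example illustrating that style of triage; it is not code from this thread, from Secure Science, IP3 or the Snort rules mentioned. It parses the documented PE/COFF section table and flags three packing tells: packer-style section names, sections with no raw data that get filled at run time, and near-random section entropy. The section-name list, the 7.0 bits/byte threshold, and the two in-memory sample images (built by `build_sample_pe`, constructed test data that does not execute) are my assumptions, not anything the thread specifies.

```python
"""Triage PE files by how they are packed, not by which sample they are.

Added example (not code from the thread). Heuristics: packer-style section
names, sections with virtual size but no raw data, and near-random section
entropy. The name list and thresholds are assumptions, not a vendor catalogue.
"""
import hashlib
import math
import struct

# Assumed short list of section names left behind by common packers; illustrative only.
PACKER_SECTION_NAMES = {
    b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata", b".petite",
    b".nsp0", b".nsp1", b".MPRESS1", b".MPRESS2", b".themida", b".vmp0", b".vmp1",
}
ENTROPY_THRESHOLD = 7.0  # bits/byte; compressed or encrypted data sits near 8.0
MIN_SECTION_BYTES = 256  # ignore tiny sections, whose entropy estimate is noisy


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.

    Returns a list of (name, virtual_size, raw_bytes) per the PE/COFF layout:
    e_lfanew at 0x3C, NumberOfSections at COFF+2, SizeOfOptionalHeader at
    COFF+16, then 40-byte section headers.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_header_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_header_size
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0"), vsize, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def triage(pe: bytes) -> dict:
    """Return {'packed': bool, 'findings': [...]} from packing heuristics alone."""
    findings = []
    for name, vsize, raw in parse_sections(pe):
        if name in PACKER_SECTION_NAMES:
            findings.append(f"packer section name {name!r}")
        if not raw and vsize:  # unpacker fills this region at run time
            findings.append(f"{name!r} has no raw data but {vsize} virtual bytes")
        ent = shannon_entropy(raw)
        if len(raw) >= MIN_SECTION_BYTES and ent > ENTROPY_THRESHOLD:
            findings.append(f"{name!r} entropy {ent:.2f} bits/byte")
    return {"packed": bool(findings), "findings": findings}


def build_sample_pe(sections) -> bytes:
    """Assemble a minimal, non-runnable PE image (constructed test data only).

    sections: list of (name, virtual_size, raw_bytes). No optional header.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)
    table, body = b"", b""
    for name, vsize, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000,
                             len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        body += raw
        raw_ptr += len(raw)
    return dos + b"PE\0\0" + coff + table + body


# Constructed samples: a UPX-style layout with random-looking payload, and a
# plain image whose sections look like ordinary code and zeroed data.
_RANDOMISH = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
PACKED_SAMPLE = build_sample_pe([(b"UPX0", 0x8000, b""), (b"UPX1", 0x1000, _RANDOMISH)])
PLAIN_SAMPLE = build_sample_pe([(b".text", 0x1000, bytes(range(16)) * 64),
                                (b".data", 0x400, b"\0" * 512)])

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, triage(sample))
```

The point of the design is the one Lance makes: a repacked variant changes its hash and defeats a sample-specific signature, but it still has to carry a high-entropy blob and an unpacking stub, so a rule on those properties survives the variant churn at the cost of false positives on legitimately compressed or protected software. Treat a hit as a triage cue for the analyst, not a verdict.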